Let me give you some rubber-stamp answers to some frequently asked questions about PGP

The currently released freeware version of PGP is version 2.6.2 from MIT, which, for reasons of US State Department export controls, is for US and Canadian distribution only. MIT carries it on their Internet FTP site net-dist.mit.edu, in the /pub/PGP directory. A European version, 2.6.i, was released in Norway by Stale Schumacher and is available on overseas FTP sites. MIT's version is licensed under the RSAREF license from RSADSI, and may be used for noncommercial use in the US or Canada. If you just want to get the PGP user documentation package, you can get it from MIT's FTP site without export restrictions.

For a list of Internet sites and BBS systems that have PGP, send a note to Mike Johnson at mpjohnso@nyx.cs.du.edu. If you have an older version of PGP, you really should get updated. There is a version for MSDOS (but not Windows), various Unixes, OS/2, Macintosh, Amiga, Atari ST, VAX/VMS, and IBM mainframes. The source code is also available from public sources. There are Internet FTP sites and many BBS systems that carry PGP. For other PGP news, see the Internet Usenet newsgroups alt.security.pgp, talk.politics.crypto, and sci.crypt. These newsgroups are also a good place to find out where to get PGP. In many cases, there are ways to access these newsgroups via email channels. If you don't know how to get access to these newsgroups, ask your local Unix or Internet expert for help. Don't ask me to send you a copy of PGP.

Please send bug reports to pgp-bugs@mit.edu, like the manual says. It's been years since I fixed any bugs myself. If you send it there, your bug report will be distributed to several people who will log it and fix it for the next release. I also get a copy automatically. If you send it to me directly, no one gets a copy but me, and it probably won't get fixed. If you already sent the bug report to me directly, please send it again, but to pgp-bugs@mit.edu. Please give them precise details on how to reproduce the problem. What version do you have, what platform are you running on, and exactly what did you do to make it happen? Try to reproduce the bug with the current version of PGP, because bugs in earlier versions may have already been fixed. And don't report bugs by simply posting to a newsgroup, without also posting to pgp-bugs@mit.edu, because we don't always monitor those newsgroups, and even if we do, your bug report won't get into the proper channels to get fixed. You should report any problems you are having to pgp-bugs, even if you aren't sure it's a real bug.

If you get a copy of the current freeware version of PGP, make sure it has the PGP User's Guide included in the compressed released package. Under no circumstances should PGP ever be distributed without the user documentation. If you find someone distributing PGP without the manual, please tell me how to contact them, so I can ask them to stop distributing it without the manual before too many others get their hands on it. Any version of PGP found in a release package with no manual is not to be trusted. The software may have been tampered with, and even if the software is OK, no one should use PGP without understanding some of the security concepts explained in the manual, and no one should use or distribute PGP without reading the legal issues explained in the manual. Also, I would recommend that you stick with the official MIT release version of PGP, and stay away from mutant strains. MIT's version comes from me.

Often people ask me for a copy of my PGP public key, because they aren't sure if the one they have is really my key. Well, it almost certainly is. I've checked my public key countless times with people who call me up, and it's always correct. My key is so widespread that if someone tampered with it, I would surely have heard about it by now and would issue announcements to Internet newsgroups and electronic Bulletin Board Systems. My key in included in the PGP distribution package, in the file "keys.asc".

Often people ask me to sign their key with mine. I can't do that either, because I don't know those people and it would be inappropriate for me to sign a key whose owner I didn't positively identify. This topic is fully explained in the PGP manual.

My new email address is prz@acm.org. My old email addresses at NCAR may not be any good soon, so please use the new one. And if you must encrypt any mail to me, please use my newer key (from May 93) that bears the new email address in the user ID field, and not the older key that bears the old email address in the user ID.

A fully licensed commercial version of PGP is available from ViaCrypt, for any users in the USA or Canada. It's a really nice product, and has made absolutely no compromises in PGP's security. If you have been reluctant to use PGP because of legal questions, ViaCrypt PGP is just what you need. ViaCrypt has obtained all patent licenses needed to sell PGP. ViaCrypt can be reached in Phoenix, Arizona, at phone 1-602-944-0773, email .

I will read your mail much sooner if it's not encrypted. If it really should be encrypted because it is of a sensitive nature, then go ahead and encrypt it, and mark it as something I should read promptly. And please don't send me MIME-encapsulated encrypted mail. I have no MIME reader, so I can't decrypt it. Use PGP's own radix-64 ASCII transport armor, not MIME's. Also, if you are sending me encrypted email just because you just got PGP and you want to see if you can successfully send an encrypted message to someone, do not expect a reply. I suggest you find someone you know to test PGP with. I can't be everyone's guinea pig just so that they can find out if they know how to use PGP correctly. I get a lot of email like that.

I get a lot of mail from people who ask me if PGP has been compromised by any "back doors". If you get PGP from any of the sources I tell you about, such as MIT's FTP site, the answer is no. Not MIT's release, not ViaCrypt's release. I have not been pressured to put a back door into PGP by the Government. I also have not been captured by space aliens and turned into a zombie. All this paranoia is silly. If PGP had a back door put in, don't you think someone would have noticed by now? All the source code is available for public scrutiny. A lot of people out there have inspected it.

For those of you who want to donate money to my legal defense fund, please make checks payable to my lead defense attorney: Philip L. Dubois, Attorney Trust Account. Mail them to to Philip Dubois, 2305 Broadway, Boulder, Colorado, 80304 USA. Since I am now the target of a US Customs criminal investigation that has progressed to the level to a Federal grand jury, I need contributions for my legal defense. Things are coming to a head soon, so now is the time to contribute. The subject matter of the investigation relates to PGP and the export control laws on cryptographic software. If you care politically about these matters, that would be a good way to show it. Thanks for your support.

If you want to read some press stories to find out why this is an important case, see the following references:

It has been widely reported in the press that a famous RSA key, known as RSA-129, has been factored. This is an impressive achievement in factoring. Of the four principal workers on that project, three of them were involved with PGP development. RSA-129 is a 129-digit composite number that was factored into two primes, after 5000 MIP-years of computing effort by 600 people in 20 countries over eight months time using a couple thousand workstations. Many people have asked me if this means PGP is doomed because it uses RSA. PGP typically uses RSA keys that are about 307 digits long, far far out of reach of these factoring techniques. I'm told that adding 3 digits to the length of a key causes the factoring workload to double. Three more digits added doubles it again. And so on. Now figure out what that means for adding 178 digits to bring up the key size to 307 digits. PGP is safe from these kinds of factoring attacks for a long time to come.

I get a lot of mail from people who want me to explain to them some complicated ideas about cryptography. The best source of general information for that sort of thing is a book by Bruce Schneier called "Applied Cryptography", published by John Wiley and Sons, 1993.

I am available on a consulting basis to help you develop cryptographic products. That is how I make my living. If you need help in this area, feel free to call me at 303 541-0140, from 10am-7pm Mountain Time.

I hope that helps. If your email message was fan mail, I appreciate it, and hope you don't mind this form letter, especially since it was mostly designed for responding to other types of requests.